Please give me more of THIS!
The information provided by Okta regarding their recent intrusion is the type of post-mortem I keep begging for!
On November 6, 2023, Okta, an identity and access management company, released a cyber post-mortem on a recent intrusion into their systems by a cyber bad actor (or hacker, if that is your preferred noun). This is something I truly wish more companies would do. This type of intelligence is invaluable to cyber defenders and the community as a whole. This article is not about the technical specifics (which can be found HERE), as people smarter than me can discuss those details.
If you follow me at all on LinkedIn, you know I have three areas I rail on and on about (likely to the chagrin of many): TikTok (delete it now), whether or not ransomware payments by victims should be criminally prohibited (they shouldn’t), and CYBER INCIDENT POST-MORTEMS. I often call for these types of post-mortems, or hot washes, or incident reviews (again, pick your term of preference) because by understanding how bad guys are gaining access to victim networks we can create and deploy policies, processes, and mindsets that reduce the risk from these bad actors. Yet, sadly, we rarely get this level of detail from victims. This is understandable, as human nature tends to avoid admitting our failures. But I think we have come so far in terms of cyber victimization that we generally understand that most companies have been cyber victims in some way, or just haven’t been a cyber victim yet. The stigma associated with being a cyber victim doesn’t carry the same negative connotation it once did.
The 2021 Executive Order on Cybersecurity from the White House created a Cyber Safety Review Board (CSRB), which was designed to act like the NTSB and respond to major cyber incidents to investigate and provide post-mortems like what Okta did here. I conducted some research, and in the time since the CSRB was “created” it has released two reports: one on Log4j and one on the Lapsus$ hacking group. I am quite certain that in the past 2+ years there have been a few more incidents that might have warranted a larger review. I think this single fact proves that the CSRB can be classified as a colossal failure (feel free to prove me wrong).
So, since the CSRB isn’t going to be here for us, it is incumbent on the private sector (as per our usual arrangement) to make post-mortems effective, regular, meaningful, and desired. As a cybersecurity community, we need to help companies commit to doing an in-depth look into the cyber incidents of which they were a victim, report the methodologies the bad actors used to gain access, and list their tools, tactics, and procedures (TTPs). This type of cyber intelligence is immensely valuable to everyone, and it can be released without revealing victim intellectual property, CUI, or other pertinent information outside the scope of the event itself and its post-mortem.
The CSRB isn’t coming anytime soon to provide us this information, so it is incumbent on those of us in the community to make these post-mortems something companies want to do so that we can “Understand the threats targeting all of us.”
Let’s make it happen because #knowledgeisprotection!